10 June 2019

After years of silence ICEFOG APT malware returns in new wave of attacks

Several hacking groups are using modified, more dangerous versions of malware developed by the Chinese state-sponsored crew ICEFOG (aka Fucobha), which was previously thought to have disappeared from the threat landscape. The ICEFOG malware was used mainly against government organizations and the defense industry of South Korea and Japan. The group’s activity was first described in a Kaspersky report in 2013, and following that exposure ICEFOG ceased its operations. But it appears that the ICEFOG malware remains active and has become more advanced, according to FireEye senior researcher Chi-en (Ashley) Shen.

In a presentation at the CONFidence cyber-security conference in Poland this week, Shen said she discovered new and upgraded variants of the ICEFOG malware. Two of them, tracked as ICEFOG-P and ICEFOG-M, were used in targeted attacks in 2014 and 2018, respectively. Both versions are more complex than the original backdoor used in hacking operations in the 2010s, suggesting that the threat actors continued to develop the malware’s capabilities. Shen also said that she discovered a previously unseen Mac version of the ICEFOG malware.

According to the researcher, these ICEFOG variants were used in various hacking campaigns associated with different cybercriminal groups. “The operations between 2011 and 2013 were pretty consistent, suggesting one group and an exclusive use of the malware. The new variant was seemingly used by multiple groups after the 2013 campaign,” said Shen. This means that ICEFOG has transformed from malware used exclusively by one cyberespionage group into a tool shared by multiple hacking units.

Shen spotted variants of the ICEFOG malware in attacks targeting:

  • an unnamed agriculture company in Europe in 2015

  • government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)

  • the governments of multiple former Soviet states in 2015 (Roaming Tiger)

  • Kazakh officials in 2016 (APPER campaign)

  • a water supplier, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)

  • an unknown entity in the Philippines in 2018 (PHKIGHT campaign)

  • organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)

In the latest campaign in 2019, tracked as the SKYLINE campaign, hackers targeted Turkey and Kazakhstan. The evidence suggests the campaign may have been active since at least 2018. The attackers leveraged a shared exploit template for CVE-2017-11882 and used a fileless version of ICEFOG-M.

Indicators of compromise (IOCs) are available here.
